
ASA ACL Issue?


joshglover72
Apr 29, 2009
I have an issue with an ASA5505 VPN. I can connect to the VPN just fine. I can ping both interfaces of the ASA from a VPN client. I can ping the default gateway of the ASA network also. From the ASA interface I can ping everything. I cannot, however, ping or browse to network devices other than the ASA interfaces and gateway from the VPN client. I think it is an ACL issue but I cannot figure out what the problem is. This device sits behind a different firewall and is going to be used just for VPN client connections. Below is the running config, please help. Thanks

hostname ASA
domain-name .com
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.10.10.254 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
no shutdown
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name .com
same-security-traffic permit intra-interface
access-list acl_in extended permit icmp any any
access-list fass_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list f_splitTunnelAcl standard permit any
access-list 139 extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list abc extended permit esp any any
access-list split extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list split extended permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging monitor critical
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool abc 192.168.10.3-192.168.10.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 192.168.10.0 255.255.255.0
nat (outside) 0 access-list nonat
access-group acl_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server e5group protocol radius
aaa-server e5group (outside) host 10.10.10.10
timeout 5
key *
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
telnet 192.168.0.0 255.255.255.0 inside
telnet 192.168.10.0 255.255.255.0 inside
telnet 192.168.0.0 255.255.255.0 outside
telnet 192.168.10.0 255.255.255.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
group-policy e5group internal
group-policy e5group attributes
dns-server value 10.10.10.5
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value .com
tunnel-group e5group type ipsec-ra
tunnel-group e5group general-attributes
address-pool abc
authentication-server-group e5group
default-group-policy e5group
tunnel-group e5group ipsec-attributes
pre-shared-key *
prompt hostname context
 
Here is the config that is on the box, as I had the same outcome removing NAT and changing subnets.

hostname E5ASA
domain-name .com
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.10.10.254 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
no shutdown
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name .com
same-security-traffic permit intra-interface
access-list acl_in extended permit icmp any any
access-list fass_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list f_splitTunnelAcl standard permit any
access-list 139 extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list abc extended permit esp any any
access-list split extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list split extended permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging monitor critical
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool abc 192.168.10.3-192.168.10.254 mask 255.255.255.0
ip local pool VPN 172.16.2.2-172.16.2.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 192.168.10.0 255.255.255.0
nat (outside) 0 access-list nonat
access-group acl_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server e5group protocol radius
aaa-server e5group (outside) host 10.10.10.10
timeout 5
key *
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
telnet 192.168.0.0 255.255.255.0 inside
telnet 192.168.10.0 255.255.255.0 inside
telnet 192.168.0.0 255.255.255.0 outside
telnet 192.168.10.0 255.255.255.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
group-policy e5group internal
group-policy e5group attributes
dns-server value 10.10.10.5
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value .com
tunnel-group e5group type ipsec-ra
tunnel-group e5group general-attributes
address-pool abc
authentication-server-group e5group
default-group-policy e5group
tunnel-group e5group ipsec-attributes
pre-shared-key *
prompt hostname context

 
let's take this one step at a time. forgetting the vpn config for the time being, if you remove the nat config, can your inside resources access external resources such as the Internet??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Yes, as the ASA is not doing the primary routing of the network. The ASA will only be used for client VPN connectivity.
 
ok, so you removed the nat configuration so that will take care of the nat bypass requirement for the vpn clients. next thing is to define your vpn pool on a different subnet than your internal networks. you say that this particular asa does not perform routing functions so i'm assuming that your clients are using the perimeter device as the default gateway. if this is the case then you'll need to add a route into the perimeter device to make your vpn subnet reachable by your internal hosts.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I have added the routes to that device previously. The reason I think it is an ACL issue is this.

I am trying to ping, browse folders, RDP, and do SIP communications from the VPN client (192.168.10.0 network) to the 10.10.10.0 network.

Right now I can ping 10.10.10.1 (gateway), 10.10.10.254 (ASA outside interface), and 192.168.10.2 (ASA inside interface) from the VPN client. I cannot ping 10.10.10.5 or 10.10.10.10 (servers), and I cannot browse to those servers or RDP into them either.

From the ASA console I can ping all of the above addresses.


 
what version of code are you running??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Cisco Adaptive Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)

Compiled on Sun 06-Apr-08 13:39 by builders
System image file is "disk0:/asa724-k8.bin"
Config file at boot was "startup-config"

E5ASA up 34 mins 33 secs

Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0

This platform has a Base license.
 
have you checked your logs to see if anything is blocking the traffic?? also, i think i was confused on your setup. let me see if i have this straight. No internal hosts are sitting on the inside of this device right?? ONLY VPN connections are terminated there and nothing else??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Logs:
E5ASA(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list acl_in; 1 elements
access-list acl_in line 1 extended permit icmp any any (hitcnt=49) 0x08983e47
access-list fass_splitTunnelAcl; 1 elements
access-list fass_splitTunnelAcl line 1 standard permit any (hitcnt=0) 0x9d3d2c9e
access-list inside_nat0_outbound; 1 elements
access-list inside_nat0_outbound line 1 extended permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0 (hitcnt=0) 0xee2a29e9
access-list f_splitTunnelAcl; 1 elements
access-list f_splitTunnelAcl line 1 standard permit any (hitcnt=0) 0x6e4c523a
access-list 139; 1 elements
access-list 139 line 1 extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=0) 0xd2a396ab
access-list abc; 1 elements
access-list abc line 1 extended permit esp any any (hitcnt=0) 0xce952d47
access-list split; 2 elements
access-list split line 1 extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=0) 0x289def49
access-list split line 2 extended permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0 (hitcnt=0) 0x726e53d8
access-list nonat; 1 elements
access-list nonat line 1 extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=0) 0x91866707

I think you are correct; there are no devices connected to the ASA, the ASA is just a device on the network.

Another thing: when connected to the VPN I can also browse to the HTML page of the network gateway, which has an IP of 10.10.10.1.
 
Just for fun, plug a laptop into one of the ports on the asa internal switch and give it an address in the 192.168.10.0/24 range. Try to access the resources on the 10.10.10.0/24 network.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Unfortunately I am not onsite to do this. Just using telnet to the device and RDP. Testing with the VPN client.
 
your acls definitely are not blocking the traffic. you can see all of the hit counters at zero except for the icmp traffic. are you 100% sure that all hosts on the 10.10.10.0/24 network are using 10.10.10.1 as the gateway?? it is very weird that you can access that device but nothing else

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I verified the DHCP server is sending out the correct gateway, and it is. All statically assigned devices also have the correct gateway.
 
i just want to make sure of something so bear with me. i'd like to go back and just see what will happen if you configure the vpn pool to be something other than 192.168.10.0/24. obviously make sure that 10.10.10.1 has a route to the 10.10.10.254 device for this new subnet. i know you said before that when you did this that you didn't experience any changes, but i wonder if you added the route into the 10.10.10.1 device.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
This is what the routing looks like on 10.10.10.1

Static Routing
Static Routes can be entered in the spaces below. "Subnet IP" is the IP address of the subnet being defined. "Subnet Mask" is the subnet mask of the subnet being defined. "Gateway IP" is the IP address of the DSL Gateway and can be empty for the local subnet.

Static Routing Table (Subnet IP/Subnet Mask,Gateway IP)
10.10.10.0/255.255.255.0,10.10.10.1
192.168.10.0/255.255.255.0,10.10.10.1

 
the next hop for the 192.168.10.0 network should be 10.10.10.254

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
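The two conditions ColdFlame asks about in this thread, a client pool overlapping a subnet directly connected to the ASA and a return route on the 10.10.10.1 gateway that points somewhere other than the ASA's outside address, can be checked mechanically. This is an added example, not code from the thread; it assumes the config excerpt and gateway routing table embedded below (constructed from what was posted above) and uses only Python's standard library.

```python
import ipaddress
import re
# Constructed excerpt of the running config posted in this thread.
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.10.2 255.255.255.0
interface Vlan2
 nameif outside
 ip address 10.10.10.254 255.255.255.0
ip local pool abc 192.168.10.3-192.168.10.254 mask 255.255.255.0
ip local pool VPN 172.16.2.2-172.16.2.254 mask 255.255.255.0
tunnel-group e5group general-attributes
 address-pool abc
"""
# Constructed copy of the static routing table shown for the 10.10.10.1 gateway.
GATEWAY_ROUTES = """\
10.10.10.0/255.255.255.0,10.10.10.1
192.168.10.0/255.255.255.0,10.10.10.1
"""

def parse_interfaces(cfg):
    """Map nameif -> ip_interface for each interface that has an address."""
    ifaces, name = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"\s*nameif (\S+)", line):
            name = m[1]
        elif (m := re.match(r"\s*ip address (\S+) (\S+)", line)) and name:
            ifaces[name] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
    return ifaces

def client_pool(cfg):
    """Network of the pool named by the tunnel-group's address-pool line."""
    active = re.search(r"address-pool (\S+)", cfg)[1]
    pools = {m[1]: ipaddress.ip_network(f"{m[2]}/{m[4]}", strict=False)
             for m in re.finditer(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)", cfg)}
    return pools[active]

def parse_gateway_routes(text):
    """'dest/mask,nexthop' lines -> {ip_network: next-hop ip_address}."""
    pairs = (line.strip().split(",") for line in text.splitlines() if line.strip())
    return {ipaddress.ip_network(d, strict=False): ipaddress.ip_address(nh) for d, nh in pairs}

def audit(cfg, gw_routes):
    """Findings that would keep client-VPN traffic from reaching LAN hosts."""
    findings = []
    ifaces, pool = parse_interfaces(cfg), client_pool(cfg)
    asa_outside = ifaces["outside"].ip
    # 1. The client pool should not overlap a subnet directly connected to the ASA.
    for name, iface in ifaces.items():
        if pool.overlaps(iface.network):
            findings.append(f"pool {pool} overlaps {name} subnet {iface.network}")
    # 2. The LAN gateway must route the pool back to the ASA's outside address.
    covering = {d: nh for d, nh in parse_gateway_routes(gw_routes).items() if d.overlaps(pool)}
    if not covering:
        findings.append(f"no gateway route covers pool {pool} (next hop should be {asa_outside})")
    for dest, nh in covering.items():
        if nh != asa_outside:
            findings.append(f"gateway route {dest} -> {nh}, next hop should be {asa_outside}")
    return findings
```

Run against the posted config and routing table, `audit()` reports both the pool overlap with the inside subnet and the 192.168.10.0/24 route whose next hop is 10.10.10.1 instead of 10.10.10.254; switching the tunnel-group to the 172.16.2.0/24 pool instead reports that the gateway has no route back to it.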
 
OK, this is goofy. I can now hit 10.10.10.5 via ping, RDP, and file browsing from the VPN.

However, I cannot hit 10.10.10.10 via ping, RDP or file browsing from the VPN, but I can do all of those from an RDP session from the outside???????
 
Here are some commands run against that IP, very strange.

C:\Documents and Settings\Administrator>ping files1

Pinging files1.e5groupllc.com [10.10.10.10] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.10.10.10:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Documents and Settings\Administrator>nslookup
Default Server: server01.e5groupllc.com
Address: 10.10.10.5

> files1
Server: server01.e5groupllc.com
Address: 10.10.10.5

Name: files1.e5groupllc.com
Address: 10.10.10.10

> exit

C:\Documents and Settings\Administrator>ping 10.10.10.10

Pinging 10.10.10.10 with 32 bytes of data:

Request timed out.
Request timed out.

Ping statistics for 10.10.10.10:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
Control-C
^C
C:\Documents and Settings\Administrator>ping files1.e5groupllc.com

Pinging files1.e5groupllc.com [10.10.10.10] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.10.10.10:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Documents and Settings\Administrator>tracert 10.10.10.10

Tracing route to files1.e5groupllc.com [10.10.10.10]
over a maximum of 30 hops:

1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * ^C
C:\Documents and Settings\Administrator>tracert 10.10.10.5

Tracing route to server01.e5groupllc.com [10.10.10.5]
over a maximum of 30 hops:

1 41 ms 42 ms 41 ms server01.e5groupllc.com [10.10.10.5]

Trace complete.
 
I cannot hit any other server except for 10.10.10.5, which is the DC, DHCP, and DNS server.
 